US customers buying software from Australian SaaS companies often ask for a SOC 2 report before they sign. SOC 2 is an AICPA attestation report written by an independent licensed CPA firm against the Trust Services Criteria, not a certification. For most US deals the ask is a Type II, covering how your controls operated over a period, commonly 3 to 12 months.
The first time an Australian SaaS company hears the words “send us your SOC 2” it is usually midway through a deal with a United States buyer. No Australian law requires it. The buyer’s procurement and security team does. SOC 2 has become the document a US enterprise expects to see before it trusts an outside vendor with its data, and not having one stalls the contract.
Why do US customers ask Australian SaaS companies for SOC 2?
The ask comes from the buyer’s third party risk process, not from any regulation. A US enterprise that puts its data into your platform has to satisfy its own auditors and security team that you are a safe vendor, and a SOC 2 report is the artefact they recognise. A SOC 2 report written by a licensed CPA firm, shared under NDA because it is a restricted use document, lets their reviewers tick the box without auditing you themselves.
Geography drives which framework gets asked for. SOC 2 is the United States norm. ISO 27001 is more often the expectation in Europe, much of Asia, and Australian government tenders. An Australian SaaS company selling across regions frequently ends up needing both. The trigger is the buyer and the deal, not your size.
Is SOC 2 a certification, and who can issue it?
No. SOC 2 is an attestation report, not a certification. It is produced under the AICPA attestation standards, SSAE No. 18 and the examination requirements of AT-C section 205, and only an independent licensed CPA firm can write it. There is no certificate to frame and no pass mark. The deliverable is the auditor’s report and opinion on your controls.
This catches teams out. They expect a logo and a tick. What they receive is a report a US buyer’s auditor reads. That is the point of difference from ISO 27001, which is a certifiable standard an accredited body audits you against on a three year cycle. SOC 2 is renewed each year against your own control commitments.
Do you need SOC 2 or ISO 27001 to sell into the US?
For United States customers, SOC 2 is usually the ask. For European, Asian and Australian tenders, ISO 27001 is more often expected. They are different instruments built for different buyers, and the good news is they overlap heavily, so the second one is cheaper than the first.
| Aspect | SOC 2 | ISO 27001 |
|---|---|---|
| Type of assurance | AICPA attestation report and opinion | Certification against a standard |
| Who issues it | An independent licensed CPA firm | An accredited certification body |
| Common buyer | United States customers | Europe, Asia, Australian tenders |
| Measured against | Your own commitments under the Trust Services Criteria | A fixed management system standard |
| Cycle | Renewed each year | Three year cycle with annual surveillance |
| Use | Restricted use, shared under NDA | Certificate is public |
The AICPA publishes an official mapping of the 2017 Trust Services Criteria to ISO 27001, which confirms substantial control overlap. If you already hold ISO 27001, much of the evidence carries across to a SOC 2, though neither report substitutes for the other. Many SaaS companies start with whichever their biggest buyers demand, then add the second as they sell into new regions.
Should you get a Type I or a Type II report?
Type I reports on whether your controls are suitably designed at a point in time. Type II reports on whether they operated effectively over a period, commonly 3 to 12 months. US enterprise buyers usually want the Type II. It is the one that proves the controls actually ran, not that they looked right on the day.
A Type I is a reasonable first step when a deal is moving fast and you have nothing yet, because it can be produced sooner. But expect the buyer to come back for a Type II at renewal. The detail of when each fits sits in SOC 2 Type I vs Type II. The observation period, not the audit itself, sets how long the Type II takes, which is covered in how long SOC 2 takes.
How do you scope SOC 2 for a SaaS platform?
Security, the common criteria, is mandatory in every SOC 2. Availability, Processing Integrity, Confidentiality and Privacy are added only where you make commitments in those areas. A SaaS platform that promises uptime in its contracts will usually scope in Availability; one that handles personal data may scope in Confidentiality or Privacy. Each added category widens the scope, the cost and the time, so add what your customers actually require, not the full set by default.
Scope the system and the service that customers use, not necessarily the whole company. The points of focus the AICPA lists under each criterion are considerations, not a checklist, and not all apply to every entity. Get the boundary right early, because widening it later means more controls to evidence. The full set is explained in the Trust Services Criteria, and the practical preparation in the SOC 2 readiness checklist.
Can you reuse ISO 27001 work, and what does it cost?
Yes, substantially. Because the AICPA mapping ties the Trust Services Criteria to ISO 27001, an organisation that has built an ISO management system can reuse most of that evidence for SOC 2. The reuse runs mostly one way, from ISO to SOC 2. Cost is driven by the readiness work, the CPA firm’s examination fee, any tooling, and the internal effort across the observation period, not by a single day rate. The drivers are set out in SOC 2 cost, and the wider picture in the SOC 2 guide.
No. There is no law requiring SOC 2. The requirement comes from US customers and their third party risk reviews, which expect a SOC 2 report before they trust a vendor with their data.
No. SOC 2 is an attestation report written by an independent licensed CPA firm under the AICPA standards. There is no certificate and no pass mark. The deliverable is the auditor’s report and opinion.
US enterprise buyers usually want a Type II, which reports how your controls operated over a period, commonly 3 to 12 months. A Type I, which reports design at a point in time, is sometimes accepted as a first step.
Sometimes, but many US buyers specifically ask for SOC 2. ISO 27001 work carries across to SOC 2 through the AICPA mapping, so holding one makes the other faster, but neither substitutes for the other.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Talk to us. We aren’t always chasing a transaction.
Sources:
- AICPA, 2017 Trust Services Criteria (with Revised Points of Focus, 2022), 2022
- AICPA, SOC 2 reporting guidance, accessed June 2026
- AICPA, Mapping of the 2017 Trust Services Criteria to ISO 27001, accessed June 2026
Last updated: 21 June, 2026
